How can an insider threat interact with HIPAA regulated information?

June 19, 2018
By Isaac Kohen

HIPAA (Health Insurance Portability and Accountability Act) has been a long-standing standard for data privacy and security.

However, a threat is brewing for organizations that hold HIPAA-regulated data, and it sits inside healthcare organizations rather than at their perimeter.

Compliance and security programs have traditionally been built around external threats, which leaves them poorly placed against a threat that is internal. Healthcare organizations are now hurrying to address the human factor.

The human factor is unpredictable and central to insider threats. IBM reported in 2014 that human error contributed to 95% of security incidents. For most healthcare entities, an insider incident amounts to a data breach, a HIPAA violation, or both.

Insider threats can impact the financial bottom line. The Ponemon Institute’s 2018 Cost of Insider Threats: Global Organizations report concluded the following:


The insider threat is wreaking havoc on healthcare data sets, and this will continue as the threat evolves. Electronic protected health information (EPHI), whether held in electronic health record (EHR) or computerized physician order entry (CPOE) systems, is at risk of being stolen and exploited.

HIPAA Journal shares that, “according to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.” While threats go unnoticed, the organization keeps entering, transferring and storing more EPHI, unaware of its exposed state, so data continues to be stolen or exposed and the insider continues unchecked.

The uptick in insider attacks is largely driven by the value of health data, the profit it can bring and the sheer volume of it. Criminals know that most health records and related sensitive data are now held in digital form.

Citrix Chief Security Strategist Kurt Roemer explains: “There's a lot of data that winds up on endpoints, a lot of data that's very distributed. You have a lot of healthcare professionals that are contractors and other third parties and operate as independents and maybe work for multiple facilities. Patient care must also be swift, so sometimes security measures are dialed down or updates are delayed, so they do not interfere with patient care. Unfortunately, that sets up a perfect storm for healthcare ransomware.”

Who is an insider?
An insider is any individual who has access to sensitive data in an organization. A current or former employee, a third-party vendor or any business associate can be or become an insider threat.

Here is an example. An employee who has been with a company for four years is disappointed at being passed over for promotion. That disdain can fester and develop into threatening, malicious behavior. On their last day at the company, they copy sensitive patient data files to a USB drive.

In the past, healthcare companies relied on background checks to filter out potential threats; that is no longer enough. An employee who passes every check at onboarding can change their behavior later. The insider threat is constantly evolving.

Furthermore, vendors are typically not screened at any point in the relationship, and their security practices may differ from your own. HIPAA requires a business associate agreement with them, but a signed agreement is not a security control: as long as they retain access to healthcare data, they remain an inside risk.

The four types of insiders and how they relate to healthcare
There are four categories we recognize as typical insider threats.

Oblivious Insider – This insider is not malicious, but their actions leave your organization open to threats. They may not be well versed in cybersecurity safeguards and have no idea that their behavior is compromising the company; they may not even realize the organization is already in a breached state.

Real case example:

● A physician group was fined $100,000 under HIPAA after staff kept patient information, appointments and procedures in a cloud-based calendar.

Negligent Insider – The negligent insider knows the cybersecurity policies and practices but ignores them. They may also be careless with physical data storage (failing to lock a cabinet, or writing an office door PIN where it is in plain sight). They often bypass policy in the name of workplace efficiency, and that careless approach places your company and its data in danger. This insider is the most vulnerable to social engineering.

Real case example:

● In 2017 a cardiac monitoring vendor’s vehicle was broken into and a laptop containing EPHI was stolen. The theft resulted in the vendor paying $2.5 million to settle with OCR.

● A private physician office was found in violation of HIPAA in 2016 after it lost an unencrypted flash drive holding EPHI. Under the breach notification rule, PHI encrypted to HHS guidance is not “unsecured”, so the same loss with an encrypted drive would not have been a reportable breach; encryption of laptops and removable media is the first control to verify.

Malicious Insider – The malicious insider is dangerous and has ill intent. They may be a disgruntled employee seeking to damage or harm your company through sabotage. This insider causes direct harm: they may delete EPHI, or transfer it off-site to leak or sell. CIO Insight found that 55% of malicious insiders are looking to monetize sensitive data.

Real case example:

● UCLA Health System experienced a breach when a fired surgeon accessed its medical record database on over 300 occasions. The ex-surgeon illegally viewed the EHRs of coworkers, supervisors and celebrities. Access that continues after termination, at that volume, is exactly what prompt account disablement and routine audit-log review are meant to catch.

Professional Insider – This insider may be an employee, but took the job purely to exploit data. They make a living from exploiting companies and stealing and selling sensitive data. The professional insider is calculating and may have stolen data from an organization before.

Real case example:

● A hospital employee was arrested and fined in 2014 for illegally accessing and disclosing EPHI. The employee, convicted of the crime, had intended to sell the information for personal profit.


How to prevent insider threat and HIPAA violation
The digitization of healthcare data is both a blessing and a curse. A proactive approach built on awareness, policies and technology lets a healthcare entity monitor for and prevent the insider threat. Preventing and detecting every insider threat may not be possible, but a working data security program is necessary for HIPAA compliance. OCR further stresses appropriate access to data, and the creation and management of end-user accounts (including their timely removal), as protection against the insider threat. The examples in this article are everyday opportunities for an insider to interact with and exploit HIPAA-regulated information.
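The account-management and monitoring point above can be made concrete with a small audit-log review. The following is an added example written for this page, not code from the author or from Teramind, and everything in it is constructed: the HR roster, the care-team assignments, the log format and the user names are hypothetical. It flags two of the patterns described in the case examples: accounts that keep accessing records after their termination date, and users who open charts of patients they have no treatment relationship with (a coworker's or a celebrity's chart).

```python
"""Added example: review constructed EHR audit-log lines against an HR roster
and care-team assignments to flag insider access patterns. All data is made up."""
from collections import Counter
from datetime import datetime

# Constructed HR roster: user -> termination date (None = still employed).
ROSTER = {
    "dr_amir": None,
    "rn_lopez": None,
    "dr_zhou": datetime(2018, 3, 1),   # hypothetical account terminated 1 March 2018
}

# Constructed care-team assignments: patient MRN -> users with a treatment relationship.
CARE_TEAM = {
    "MRN-1001": {"dr_amir", "rn_lopez"},
    "MRN-1002": {"dr_amir"},
    "MRN-2001": set(),                 # a staff member's own chart: nobody assigned
}

# Constructed audit-log lines: ISO timestamp, user, action, patient MRN.
SAMPLE_LOG = """\
2018-03-02T09:14:00 dr_zhou VIEW MRN-1001
2018-03-02T09:15:30 dr_zhou VIEW MRN-2001
2018-03-02T09:16:10 dr_zhou VIEW MRN-1002
2018-03-02T10:02:00 rn_lopez VIEW MRN-1001
2018-03-02T10:05:00 rn_lopez VIEW MRN-1002
2018-03-02T11:30:00 dr_amir VIEW MRN-1002
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
        })
    return events


def find_violations(events, roster, care_team):
    """Return a list of (reason, event) pairs for each policy check that fires.

    Checks:
      unknown-account            - user is not in the HR roster at all
      terminated-account         - user's termination date is on or before the access
      no-treatment-relationship  - user is not on the patient's care team
    A single event can trigger more than one reason.
    """
    findings = []
    for ev in events:
        if ev["user"] not in roster:
            findings.append(("unknown-account", ev))
            continue
        term = roster[ev["user"]]
        if term is not None and ev["ts"] >= term:
            findings.append(("terminated-account", ev))
        if ev["user"] not in care_team.get(ev["patient"], set()):
            findings.append(("no-treatment-relationship", ev))
    return findings


def summarize(findings):
    """Count findings per (reason, user) so volume stands out, as 300 accesses would."""
    return Counter((reason, ev["user"]) for reason, ev in findings)


if __name__ == "__main__":
    counts = summarize(find_violations(parse_log(SAMPLE_LOG), ROSTER, CARE_TEAM))
    for (reason, user), n in sorted(counts.items()):
        print(f"{user:10s} {reason:28s} {n}")
```

On the constructed input, `dr_zhou` produces three terminated-account findings and three no-treatment-relationship findings, while `rn_lopez` produces a single no-treatment-relationship finding for the chart of a patient not on her list. The terminated-account check is the one to act on automatically (the account should not exist at all); the no-treatment-relationship check needs a triage step, because emergency "break the glass" access is legitimate and will not appear in a care-team table.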


Isaac Kohen is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records and prevents malicious user behavior, in addition to helping teams drive productivity and efficiency.